SigmaHQ/rules/windows/process_creation/win_renamed_jusched.yml
2020-09-07 01:28:08 +04:00

27 lines
813 B
YAML

title: Renamed jusched.exe
status: experimental
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
description: Detects renamed jusched.exe used by cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
- attack.t1036
- attack.execution
author: Markus Neis, Swisscom
date: 2019/06/04
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
Image|endswith:
- '\jusched.exe'
condition: (selection1 or selection2) and not filter
falsepositives:
- penetration tests, red teaming
level: high